[2019-08-29 12:23] Daniel Kahn Gillmor <d...@fifthhorseman.net>
> > Then I plan to change script to following:
> >
> > 1 #!/bin/sh
> > 2 chown runit-log:adm '/var/log/runit/tor'
> > 3 chmod 750 '/var/log/runit/tor'
> > 4 umask 0022
> > 5 exec chpst -u runit-log svlogd -tt '/var/log/runit/tor'
> >
> > The idea is that since /var/log/runit/tor is 750, log files actually can
> > only be read by group=adm, even though their permission is 644.
>
> This looks reasonable and correct to me.  I think you can even omit the
> "umask 0022" part on line 4: svlogd uses openat() to open its "current"
> file with mode 0600 initially, so there's no race condition that leaves
> a window where the "current" file will get automatically opened with
> too-loose permissions.

Okay. Will do.

> Looking at svlogd, it appears that after opening, it deliberately uses
> fchmod() to set the mode of "current" to 0644 (and it also sets the
> rotated-out file to 0755 at rotation time, i don't know why rotated-out
> files are marked executable!).

Subject: svlogd, when rotating, sets the log files as executable. Why?
From: Jamie Heilman <>
Date: Mon, 8 Feb 2016 06:12:27 +0000

  This is all based off daemontools' multilog ...

  https://cr.yp.to/daemontools/multilog.html

  ... which states:

    While multilog is running, current has mode 644. If multilog sees
    the end of stdin, it writes current safely to disk, and sets the
    mode of current to 744. When it restarts, it sets the mode of
    current back to 644 and continues writing new lines.

    When multilog decides that current is big enough, it writes current
    safely to disk, sets the mode of current to 744, and renames current
    as an old log file.

  Thus it's effectively using the mode bits as a flag to communicate the
  state of the application, which while unusual, is harmless.

> > Is it okay? Or it opens door for some other tricks, that would allow log
> > reading by non :adm users? Or some other problems?
>
> i don't see any other problems with it!  while that doesn't mean it's
> problem-free, i think it's an improvement :)

Good. How urgent is the fix? Can I just upload `dh-runit' into unstable and
eventually the fix will propagate to affected packages, or do I have to
request a binNMU?
-- 
Note that I send and fetch email in batch, once every few days.
Please mention in the body of your reply when you add or remove recipients.
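As an added illustration (not code from this thread, from svlogd or from dh-runit), the following Python model of the Unix discretionary access check walks the path described above: a `/var/log/runit/tor` directory at 0750 owned `runit-log:adm`, a `current` file that svlogd has fchmod()ed to 0644, and a rotated-out file at 0755. It also goes one step beyond the thread by evaluating the counterfactual where the directory is left at 0755, to show that the directory's search bit is the only thing keeping the 0644 files away from other local users. The parent directories (`/var`, `/var/log`, `/var/log/runit`) are assumed 0755 `root:root`, the log files are assumed owned `runit-log:runit-log` because `chpst -u runit-log` runs svlogd under that account, the rotated file name `@<tai64n>.s` is a placeholder, and the user accounts are constructed for the example.

```python
"""Model of the Unix DAC check for the /var/log/runit/tor layout.

Added illustration; the tree, owners and accounts below are constructed for
this example and are not taken from svlogd or dh-runit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits only, e.g. 0o750
    uid: str   # owner name
    gid: str   # owning group name


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # all group memberships, primary group included


def class_bits(node: Inode, user: User) -> int:
    """Pick the rwx triple that applies to `user`: owner, group, or other.
    The kernel checks exactly one class, in that order; it never falls
    through to a more permissive class."""
    if user.name == node.uid:
        shift = 6
    elif node.gid in user.groups:
        shift = 3
    else:
        shift = 0
    return (node.mode >> shift) & 0o7


def can_read(path: list, user: User) -> bool:
    """`path` lists (name, Inode) pairs from the top-most directory down to
    the file. Every directory on the way needs the search (x) bit for the
    user's class, and the file itself needs the read (r) bit. root bypasses
    DAC entirely."""
    if user.name == "root":
        return True
    *dirs, (_, leaf) = path
    for _, node in dirs:
        if not class_bits(node, user) & 0o1:
            return False  # cannot traverse; the file's own mode is irrelevant
    return bool(class_bits(leaf, user) & 0o4)


# Layout after the proposed run script (chown runit-log:adm + chmod 750).
# Parent directories are assumed 0755 root:root, as on a stock Debian system.
TOR_LOG_DIR = [
    ("/var", Inode(0o755, "root", "root")),
    ("/var/log", Inode(0o755, "root", "root")),
    ("/var/log/runit", Inode(0o755, "root", "root")),
    ("/var/log/runit/tor", Inode(0o750, "runit-log", "adm")),
]

# svlogd runs as runit-log (chpst -u runit-log), so its files are assumed
# owned runit-log:runit-log. "current" ends up 0644 via fchmod(); rotated-out
# files get 0755 (the name is a placeholder for svlogd's @<tai64n>.s).
CURRENT = ("current", Inode(0o644, "runit-log", "runit-log"))
ROTATED = ("@<tai64n>.s", Inode(0o755, "runit-log", "runit-log"))

# Counterfactual: the same directory left world-searchable (0755).
TOR_LOG_DIR_755 = TOR_LOG_DIR[:-1] + [
    ("/var/log/runit/tor", Inode(0o755, "runit-log", "adm")),
]

# Constructed accounts: the service user, an operator in adm, an unrelated user.
USERS = [
    User("root", frozenset({"root"})),
    User("runit-log", frozenset({"runit-log"})),
    User("operator", frozenset({"operator", "adm"})),
    User("mallory", frozenset({"mallory", "users"})),
]


def who_can_read(dir_path: list, leaf: tuple) -> dict:
    """Map each constructed user to whether it can read `leaf` under `dir_path`."""
    return {u.name: can_read(dir_path + [leaf], u) for u in USERS}


if __name__ == "__main__":
    for label, d in (("tor/ 0750", TOR_LOG_DIR), ("tor/ 0755", TOR_LOG_DIR_755)):
        for leaf in (CURRENT, ROTATED):
            print(label, leaf[0], who_can_read(d, leaf))
```

With the directory at 0750, `mallory` is refused at the directory regardless of whether the file is 0644 or the 0755 rotated-out file, while `operator` gets in through the `adm` group bits and reads the file through its "other" bits. With the directory at 0755, the same 0644 files become readable by everyone, which is the situation the `chmod 750` line in the run script prevents. On a real host the equivalent check is `stat -c '%a %U:%G' /var/log/runit/tor` after the service has started.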
